SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains Loi Luu, Viswesh Narayanan, Kunal Baweja, Chaodong Zheng, Seth Gilbert, Prateek Saxena National University of Singapore

Bitcoin doesn’t scale Hard coded parameters – 1 block per 10 minutes – 1 MB block size – 7 TXs per second Today – 1-2 TXs per second – VISA: 10, 000 TXs per second

Our solution: SCP Scale up throughput several orders of magnitude – Without degrading any security guarantee Several blocks in each epoch – No. of blocks ≈ network computation capacity Require minimum network bandwidth – Broadcast only one block header

Byzantine consensus problem Problem – N nodes, f are malicious – Propose and agree on one value Byzantine consensus for blockchains – Set of valid TXs per epoch 0/1 Block i Block i-2 Block i-1

Classical byzantine consensus protocol Intensive research Can tolerate f < n/2 xAssumption of known identity set xBandwidth limited – O(n 2 ) messages (e.g. PBFT) – Work for a small network (e.g n < 1000)

Nakamoto consensus protocol Work for network of any size Select leader by proof of work Linear message complexity xDoes not scale well in practice xOne block per epoch xBandwidth = O(block size) xReparameterization is not a long term solution

Reparameterization: reducing epoch time Setup Using Amazon EC2 Run over 5 regions Results TX rate increases until some threshold Drops at 12 second epoch time

Problem Secure & scalable consensus protocol – Compete with VISA?

SCP overview Adjust throughput based on network mining power – Split the network into several committees – Committees propose blocks in parallel – No. of committees ≈ F(network mining capacity) Data needed for reaching consensus is minimal – Consensus data != transactional data – Verify block without block data – Selectively download block data

SCP protocol 2 2 Blk Header Data Blk 3 3 Consensus Blk

Step 1: Identity establishment Solve PoW – SHA2(EpochRandomness || IP || pubkey || nonce) < D IDPoWIPPubkey …a.b.c.dABC… …a.b.c.eDEF…..……….

Step 2: Assigning committees Randomly & uniformly distribute identities to committees – Based on the last k bits of PoW IDPoW … … … …11..… 00001… … … …01 … …

Size of a committee C Decide the probability of majority honest – P(error) reduces exponentially with C f = N/3, C = 400, p(error) ≈ f = N/3, C = 100, p(error) ≈ Why majority honest within a committee? – Run practical authenticated BFT – Allow others to verify committee’s block without block’s data At least 1 member is honest in any (C/2 + 1) members

Step 3: Propose a block within a committee Run a classical Byzantine consensus protocol – Members agree & sign on one valid data block – No. of messages ≈ O(C 2 ) TX sets included in data blocks are disjoint – Include TXs with a specific prefix BlockTX’s IDS Data Block 100… Data Block 201… Data Block 310… Data Block 411…

Step 4: Final committee unions all results 00001… … … …10 … … 00001… …00 … Header of Data Block 1 Header of Data Block 2 Propose a consensus block 00000… …11 … Header of Data Block 3

SCP blockchain Consensus block i-1 Consensus block i Consensus block i+1 Data block 1Data block 2 Data block 3

Step 5: Generate an epoch randomness Goal – Generate a fresh randomness – Adversary cannot control or predict Common approach: Use consensus block hash – Problem: adversary can predict the consensus block early Our approach: Users can have different randomness Commit R i in SHA2(R i ) when join the committee Agree on the consensus block Broadcast the block header and R i Use any c/2 R i as the epoch randomness

Implement a SCP-based cryptocurrency Challenges – How to form committees efficiently Too many new identities in each epoch Epoch time may be long to prevent conflict – Double spending transactions Without previous block data? Input 0x123…Input 0x123..

Forming committees efficiently Approach: Reuse identities from previous epoch – Elect one new member and remove the oldest one – Number of new identities ≈ number of committees … … C-2 C-1 C C C+1 1 st Epoch 2 nd Epoch 3 rd Epoch

Avoid double spending Approach: – Split double spending check into both miners and users (recipients) Double spending Across blocks Within a block Checked by committee members Checked by recipients* *: Proof-of-publicationProof-of-publication

Checking double spending across blocks Merkle tree of TX inputs – An input is spent in a block Proof of size log(N) – An input is not spent in a block Proof of size 2*log(N) All leaves are sorted Prove that 5 is not included?

Checking double spending across blocks (2) Sender proves that the TX’s input is not spent elsewhere – The proof of size L*log(N) – Can be optimized Recipient checks by using only consensus block headers – Actively support SPV clients without a trusted third party – Support 1-confirmation TXs

Conclusion SCP scales almost linearly with network mining capacity – More mining power, higher transaction rate – Reduced network bandwidth – Secure Applicable to several applications – Cryptocurrency, decentralized database, etc

Q&A Loi Luu

Future work Incentive structure – Incentivize committee members and other parties Prevent DoS attack by sending invalid TXs – Users can send arbitrary TXs to the blockchain now Rollback solution – P(error) != 0

Related work Bitcoin-NG & Ghost Allow more blocks xDoes not separate consensus plane and data plane Lighting network Allows more micro transactions xDoes not solve scalability problem Sidechains Good for experimenting new blockchains xDoes not make Bitcoin scalable

Adjusts number of committees frequently Similar to how Bitcoin adjusts the block difficulty – T: the expected epoch time – T’: the averaged epoch time of the most 1000 recent blocks – S: Current number of committees – S’: adjusted number of committees

Consensus Block Previous Block HashTimestamp Committee signatures Global Merkle Root Data block commitments No.Data Block’s hash Merkle root of TXs 10x123abc…… 20x123456…… Data Block 1 Previous Consensus Blk Merkle root commitment of TXs Block hashNo. of TXs Committee signatures Timestamp Included TXs Data Block 2 Previous Consensus Blk Merkle root commitment of TXs Block hashNo. of TXs Committee signatures Timestamp Included TXs

SCP properties Number of data blocks ≈ network mining power – Frequent adjustment of no. of blocks Data broadcast to the network is minimal – Broadcast data is independent of block size Secure against adaptive adversary w.h.p. – Can reparameterize c to secure against stronger adversary